26aca2678efb57982f1e7085ba7c1f3d48030d7855610658b721e35adec05e23

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 12:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Deluxe_StatistiquePVA.exe
Size

427KB
MD5

541876f0ec6ccc1a1330fdf0e1a1ab02
SHA1

da1d4170a2d1efa2b963c1311621edb458d118c3
SHA256

26aca2678efb57982f1e7085ba7c1f3d48030d7855610658b721e35adec05e23
SHA512

d873c7157497741bfc18ff8ec5918f64a43b955b84490460410d03a2f0bb66bafbf49916051bc56b4ede88c904d530e5213ae8911149ed353b00d3a6b17c037a
SSDEEP

12288:ayqjSrPCa7r1NmpXmsu8wKdEyyisRxBPLsMJI2IGZTJ:ayhbkj3dB0C2TJ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
920	acmsetup.exe

Loads dropped DLL 1 IoCs

pid	Process
920	acmsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Deluxe_StatistiquePVA.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	setup16.exe
File opened (read-only)	\??\U:	setup16.exe
File opened (read-only)	\??\T:	setup16.exe
File opened (read-only)	\??\O:	setup16.exe
File opened (read-only)	\??\N:	setup16.exe
File opened (read-only)	\??\L:	setup16.exe
File opened (read-only)	\??\Y:	setup16.exe
File opened (read-only)	\??\V:	setup16.exe
File opened (read-only)	\??\J:	setup16.exe
File opened (read-only)	\??\Z:	setup16.exe
File opened (read-only)	\??\W:	setup16.exe
File opened (read-only)	\??\S:	setup16.exe
File opened (read-only)	\??\R:	setup16.exe
File opened (read-only)	\??\M:	setup16.exe
File opened (read-only)	\??\H:	setup16.exe
File opened (read-only)	\??\G:	setup16.exe
File opened (read-only)	\??\Q:	setup16.exe
File opened (read-only)	\??\P:	setup16.exe
File opened (read-only)	\??\K:	setup16.exe
File opened (read-only)	\??\I:	setup16.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ta00920	acmsetup.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MS Setup (ACME)\Bootstrapper\Exit Level	setup16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MS Setup (ACME)	setup16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MS Setup (ACME)\Bootstrapper	setup16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MS Setup (ACME)\Bootstrapper\Exit Level\ = "Running"	setup16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MS Setup (ACME)\Bootstrapper\Exit Level\ = "2"	acmsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MS Setup (ACME)\Bootstrapper\Exit Level\ = "Running"	acmsetup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1488	1136	Deluxe_StatistiquePVA.exe	87
PID 1136 wrote to memory of 1488	1136	Deluxe_StatistiquePVA.exe	87
PID 1136 wrote to memory of 1488	1136	Deluxe_StatistiquePVA.exe	87
PID 1488 wrote to memory of 920	1488	setup16.exe	89
PID 1488 wrote to memory of 920	1488	setup16.exe	89
PID 1488 wrote to memory of 920	1488	setup16.exe	89

C:\Users\Admin\AppData\Local\Temp\Deluxe_StatistiquePVA.exe
"C:\Users\Admin\AppData\Local\Temp\Deluxe_StatistiquePVA.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SysWOW64\setup16.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe -m "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe"
  2⤵
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1488
- - F:\~MSSETUP.T\~msstfqf.t\acmsetup.exe
    F:\~MSSETUP.T\~msstfqf.t\acmsetup /T setup.stf /S C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP1.CAB

Filesize
311KB

MD5
e0bba194ba3b37cf01e0968d5b069f0c

SHA1
b736547ff0a752a51e65c6eb888fc92f0f1046fb

SHA256
8a92c195e0f651f9f04519d497092a355b9e6d56a3ced675e6e7cd79b46d865f

SHA512
1e3b1434b190cecc2e70d8190d7a442904aad41dbbad9fb0df4aee403029bc6b798e85c5816489ee4c91aa527e0d368e2137ce28f5093ddfa48bd9acfcdd91e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.LST

Filesize
1KB

MD5
9760e0caa7049cdc3f293a785f53ce5d

SHA1
0a5edb3c3b78c63476d7641f43d9c9d3ddcb92a6

SHA256
1e8718c5204f03b54c06a9f05d35cb89959b2eb3788073297aa8c2dcd8528ee4

SHA512
19d3291f79cd4c129fd70bd644d6a4936a30d5700d2f7533ae2d805a40d28530ec06786b35dcb5327d23ff0e0bfe8002456c189efa49eb0dc9be05ea5c5b6de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe

Filesize
72KB

MD5
575436cb236e86d0f4e932c76a317019

SHA1
c0e259ab69c43dc07831a401890c4c7d83a51b37

SHA256
960e235a299af4f1c961c33ab353932163b374938b4976ce83af044a151de281

SHA512
13c2d5682b4800178150111b0e112606bdafbe885165f89b6512f6f739fba2a7da4a7b82a53f6562f3065c2c6c6e024d1025557ba2d24a69833a9295594eb8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.inf

Filesize
2KB

MD5
e73bbbb84789ff3d359faf6ef11e6e6f

SHA1
3a6770792683f490344d1aac592c31eb05316b2a

SHA256
6fcb4c5e8d51c664958a399f015ff4b37831c251dd71f9e9e405daadbcf0877e

SHA512
6bc739e16f853d98fd16626e64e9a6b9fc43b74fba6683b9cf2d523744d1c413ab35206180366d9670f9f555ff616a618808f507575ddda8be63c0d3f9c74711

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.stf

Filesize
1KB

MD5
1e59e72c460e20b08ddfd19a360e762a

SHA1
0094b435f30a0f55bafb2ca5fb4a1d9513dce041

SHA256
8552afcaa5667fc84bdb653e8651e6995e63c870dee10e2bfd5e1bd8a32caccd

SHA512
83fe219b7a9c46ae63a5437a766dc666809455c74d344baeba72161ee4dee579882e7d361b3ac23b749c9b594b06aa30678f661d093f20ad9b0516d2ed2ea3a7

Download Submit
F:\~MSSETUP.T\~msstfqf.t\MSSETUP.dll

Filesize
280KB

MD5
077b1c94a0935d975ecd765fe6b99d98

SHA1
7973e2d7ccecca1bdcc2d0f678dbd84c46ed2486

SHA256
f11e250de4de2040821cc883fccdc1f9407f69358d1213698d6fb6c9bd123115

SHA512
9acd3ec7d0cf918a96ace80658226b3245dc4a7329159f4c359fd460bd40f12050639d246f0fdb3b0e5359a1fea861bea7db8a85e4767825103f513ff9adf346

Download Submit
F:\~MSSETUP.T\~msstfqf.t\_MSSETUP._Q_

Filesize
634B

MD5
dfcb51bb83408248b56d0871d7b0092e

SHA1
1c63799c0605c56f4d1b1c88256a9f5121424b97

SHA256
5468cca64f1a5a0e39c37d058a6f8215b657b64f18e5998fec06ca93a45f5ef0

SHA512
c9e145a1f766c2031a5fc86c4335dd072010e7a57c95bb76020222ae69bf804538c32b43b637a5004eeb8999c3a9bde7418ab436ab3829a1d10bbdc92140f556

Download Submit
F:\~MSSETUP.T\~msstfqf.t\acmsetup.exe

Filesize
372KB

MD5
94a734d174eb1409437cdc43b26eacd4

SHA1
a00a8192706b9476aa8b411d5319d055bad24630

SHA256
7dca1e174d0768f8d039ce4d2e181245636b3728ac556d5a786cfaf7daada097

SHA512
bc44b0b87e85a8e921474564ce8ea8610b94ed34a7d31ccc9732a918e19e2ee8aac730bc1fb2a4c0b831ce82500c3b0a4a6297466aac6668e85b6bf3865eb0e6

Download Submit
F:\~MSSETUP.T\~msstfqf.t\acmsetup.exe

Filesize
372KB

MD5
94a734d174eb1409437cdc43b26eacd4

SHA1
a00a8192706b9476aa8b411d5319d055bad24630

SHA256
7dca1e174d0768f8d039ce4d2e181245636b3728ac556d5a786cfaf7daada097

SHA512
bc44b0b87e85a8e921474564ce8ea8610b94ed34a7d31ccc9732a918e19e2ee8aac730bc1fb2a4c0b831ce82500c3b0a4a6297466aac6668e85b6bf3865eb0e6

Download Submit
F:\~MSSETUP.T\~msstfqf.t\mssetup.dll

Filesize
280KB

MD5
077b1c94a0935d975ecd765fe6b99d98

SHA1
7973e2d7ccecca1bdcc2d0f678dbd84c46ed2486

SHA256
f11e250de4de2040821cc883fccdc1f9407f69358d1213698d6fb6c9bd123115

SHA512
9acd3ec7d0cf918a96ace80658226b3245dc4a7329159f4c359fd460bd40f12050639d246f0fdb3b0e5359a1fea861bea7db8a85e4767825103f513ff9adf346

Download Submit
F:\~MSSETUP.T\~msstfqf.t\setup.stf

Filesize
1KB

MD5
1e59e72c460e20b08ddfd19a360e762a

SHA1
0094b435f30a0f55bafb2ca5fb4a1d9513dce041

SHA256
8552afcaa5667fc84bdb653e8651e6995e63c870dee10e2bfd5e1bd8a32caccd

SHA512
83fe219b7a9c46ae63a5437a766dc666809455c74d344baeba72161ee4dee579882e7d361b3ac23b749c9b594b06aa30678f661d093f20ad9b0516d2ed2ea3a7

Download Submit
memory/920-63-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/920-64-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads